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Amendments to the Claims : 

The following listing of claims will replace all prior versions, and listings, of claims in 
the application: 

1 . (Currently Amended) A method of establishing a security policy for a 
predetermined organization, the method comprising: 

a draft preparation step of preparing a security policy draft , wherein the draft 
preparation step includes preparing inquiries, wherein the security policy draft is prepared on 
the basis of answers to the prepared inquiries and an information system is virtually designed 
on the basis of the answers of the prepared inquiries ; 

an analysis step of examining a difference between the security policy draft 
and realities of the organization;-and 

an adjustment step of adjusting the security policy draft on the basis of the 
difference or adjusting operation rules of an actual information system belonging to the 
organization on the basis of the difference ; and 

an establishment step of establishing the security policy . 

2. (Currently Amended) The method of establishing a security policy according 
to claim 1, wherein the draft preparation step comprises: 

a preparation step of preparing the inquiries to be submitted to members of an 

organization; 

an inquiry step of submitting the prepared inquiries to the members; 

an answer acquisition step of acquiring from the members answers to the 

inquiries; and 

a drafting step of preparing ar -the security policy draft on the basis of the 

answers. 
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3. (Original) The method of establishing a security policy according to claim 2, 
wherein the preparation step involves preparation of inquiries on the basis of job 
specifications of members to be inquired. 

4. (Original) The method of establishing a security policy according to claim 2, 
wherein the answer acquisition step includes at least one of the steps of: 

integrating the answers acquired from a single member from among the 
acquired answers and storing the integrated answers into storage means as answers of a single 
member to be inquired; 

re-submitting inquiries to members if contradictory answers are included in the 
answers, to thereby resolve contradiction, and storing the answers into the storage means; and 

assigning weights to answers according to job specifications of the members to 
be inquired if contradictory answers are included in the answers, to thereby estimate answers 
and show the estimated answers. 

5. (Currently Amended) The method of establishing a security policy according 
to claim 2, wherein the analysis step comprises at least one of: 

a contradiction inspection step of inspecting whether or not contradictory 
answers are included in the answers; 

a first difference detection step of inspecting a difference between an-the 
information system virtually designed on the basis of the answers and the security policy, by 
means of comparison; and 

a second difference detection step of verifying the virtually-designed 
information system by means of examination of a real information system and inspecting a 
difference between the verified information system and the security policy draft by means of 
comparison. 
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6. (Original) The method of establishing a security policy according to claim 5, 
further comprising a measurement step of devising measures addressing the inspected 
difference in conjunction with the priority of the measures. 

7. (Original) The method of establishing a security policy according to claim 1 , 
further comprising a diagnosis step of diagnosing the security state of the organization, 
wherein a result of diagnosis performed in the diagnosis step is submitted to the organization, 
wherewith the organization can become conscious of a necessity for a security policy. 

8. (Original) The method of establishing a security policy according to claim 6, 
further comprising: 

a priority planning step of planning, in sequence of priority, implementation of 
the security measures which have been devised with priority, thereby embodying a budget of 
the organization. 

9. (Original) The method of establishing a security policy according 

to claim 8, wherein the security measures comprise constructing a system for managing the 
establishing a security policy: 

introduction of a security system; 

training for compelling employees to respect a security policy; 
analysis of system logs; 
monitoring of a network; 

auditing operations on the basis of the security policy; and 
reviewing the security policy. 

10. (Original) The method of establishing a security policy according to claim 8, 
further comprising: 

a security enhancement measures implementation step of implementing the 
security measures in accordance with the plan. 
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1 1 . (Currently Amended) A method of establishing a security policy comprising: 
a preparation step of preparing inquiries to be submitted to members of an 

organization; 

an inquiry step of submitting the prepared inquiries to the members; 

an answer acquisition step of acquiring from the members answers to the 

inquiries; and 

an establishment step of establishing a security policy on the basis of the 

answerSi 

wherein the answer acquisition step includes at least one of the steps of: 

integrating the answers acquired from a single member from among the 

acquired answers and storing the integrated answers into storage means as answers of a single 
member to be inquired; 

re-submitting inquiries to members if contradictory answers are 

included in the answers, to thereby resolve contradictions and storing the answers into the 
storage means; and 

assigning weights to answers according to job specifications of the 

members to be inquired if contradictory answers are included in the answers, to thereby 
estimate answers and display the estimated answers. 

12. (Original) The method of establishing a security policy according to claim 11, 
wherein the preparation step involves preparation of inquiries on the basis of job 
specifications of members to be inquired. 

13. (Canceled). 

14. (Original) The method of establishing a security policy according to claim 11, 
wherein the establishment step involves establishment of three levels of security policies: 
namely, 
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an executive-level security policy which describes the organization's concept 
and policy concerning information security, in conformity with global guidelines; 

a corporate-level security policy which describes an information security 
system embodying the executive-level security policy; and 

a product-level security policy which describes measures to implement the 
executive-level security policy with reference to the corporate-level security policy. 

15. (Original) The method of establishing a security policy according to claim 14, 
wherein the corporate-level security policy describes standards for the information security 
system of the overall organization; and standards for individual equipments constituting the 
information security system of the organization. 

16. (Original) The method of establishing a security policy according to claim 14, 
wherein the product-level security policy includes two types of product-level policies; 
namely, 

a first-level security policy describing settings of individual equipment 
constituting the information security system in natural language; and 

a second-level security policy describing settings of individual equipment 
constituting the information security system in specific language used in specific equipments. 

17. (Original) The method of establishing a security policy according to claim 1 1, 
further comprising an analysis step of examining a difference between the security policy 
draft and realities of the organization; 

the analysis step further comprising at least one of 

a contradiction inspection step of inspecting whether or not contradictory 
answers are included in the answers; 
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a first difference detection step of inspecting a difference between the security 
policy and an information system virtually designed on the basis of the answers, by means of 
comparison; and 

a second difference detection step of verifying the virtually-designed 
information system by means of examination of a real information system and inspecting a 
difference between the verified information system and the security policy draft, by means of 
comparison. 

18. (Original) The method of establishing a security policy according to claim 17, 
further comprising a measurement step of devising measures to the inspected difference, in 
conjunction with the priority of the measures. 

19. (Currently Amended) An apparatus of establishing a security policy 
comprising: 

inquiry preparation means for preparing inquiries to be submitted to members 
of an organization; 

storage means for storing answers to the inquiries; 

answer archival storage means for acquiring from the members the answers to 
the inquiries and storing the answers into the storage means; and 

establishment means for establishing a security policy on the basis of the 
answers stored in the storage means a 

wherein the answer archival storage means further performs at least one of: 

integrates the answers acquired from a single member from among the 

acquired answers and stores the integrated answers into the storage means as answers of a 
single member to be inquired; 
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re-submits inquiries to members if contradictory answers are included 

in the answers, to thereby resolve contradiction, and stores the answers into the storage 
means; and 

assigns weights to answers according to job specifications of the 

members to be inquired if contradictory answers are included in the answers, to thereby 
estimate answers and display the estimated answers . 

20. (Original) The apparatus for establishing a security policy according to claim 
19, wherein the inquiry preparation means prepares inquiries to be submitted to the members 
to be inquired, on the basis of job specifications of the members to be inquired. 

21. (Canceled) 

22. (Original) The apparatus for establishing a security policy according to claim 
19, wherein the establishment means establishes three levels of security policies: namely, 

an executive-level security policy which describes the organization's concept 
and policy concerning information security, in conformity with global guidelines; 

a corporate-level security policy which describes an information security 
system embodying the executive-level security policy; and 

a product-level security policy which describes measures to implement the 
executive-level security policy with reference to the corporate-level security policy. 

23. (Original) The apparatus for establishing a security policy according to claim 
22, wherein the corporate-level security policy describes standards for the information 
security system of the overall organization; and standards for individual equipments 
constituting the information security system of the organization. 

24. (Original) The apparatus for establishing a security policy according to claim 
22, wherein the product-level security policy includes two types of product-level policies; 
namely, 
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a first-level security policy describing settings of individual equipments 
constituting the information security system in natural language; and 

a second-level security policy describing settings of individual equipments 
constituting the information security system in specific language used in specific equipments. 

25. (Withdrawn) A method of assessing the state of security of an organization, 
the method comprising: 

an inquiry preparation step of preparing inquiries to be submitted to members 
of an organization; 

an inquiry step of submitting the prepared inquiries to the members; 

an answer acquisition step of acquiring from the members answers to the 

inquiries; and 

a security state assessment step of assessing the state of security on the basis of 

the answers. 

26. (Withdrawn) The method of assessing the state of security of an organization 
according to claim 25, wherein the inquiry preparation step involves preparation of inquiries 
on the basis of job specifications of members to be inquired. 

27. (Withdrawn) The method of assessing the state of security of an organization 
according to claim 25, wherein the answer acquisition step involves integration of previous 
answers and acquired answers in a case where the answers are provided by an member to be 
inquired who has provided answers before, and involves storage of the integrated answers 
into storage means as answers from a single member to be inquired. 

28. (Withdrawn) The method of assessing the state of security of an organization 
according to claim 25, wherein the assessment of a security state includes 

assessment of security of the organization; 
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average assessment of security of the other organizations included in an 
industry to which the organization pertains; and 

the highest security assessment which is considered to be attainable by 
organizations in the industry to which the organization pertains. 

29. (Withdrawn) The method of assessing the state of security of an organization 
according to claim 25, wherein the assessment of a security state includes scores assigned to 
the following items; namely, 

understanding and attitude concerning security; 
a security system of the organization; 
response to unexpected accidents; 
preparation of a budget for security; and 
measures to improve security. 

30. (Withdrawn) An apparatus of assessing the state of security of an 
organization, the apparatus comprising: 

preparation means of preparing inquiries to be submitted to members of the 

organization; 

storage means for storing answers to the inquiries; 

answer archival storage means of acquiring from the members the answers to 
the inquiries and storing the answers into the storage means; and 

security maturity preparation means for preparing a security maturity report 
representing the degree of maturity of security, on the basis of the answers stored in the 
storage means. 

3 1 . (Withdrawn) The apparatus for assessing the state of security of an 
organization according to claim 30, wherein the answer archival storage means integrates 
previous answers and acquired answers in a case where the answers are provided by a 

-10- 



Application No. 09/853,708 

member to be inquired who has provided answers before, and stores the integrated answers 
into the storage means as answers from a single member to be inquired. 

32. (Withdrawn) The apparatus for assessing the state of security of an 
organization according to claim 30, wherein the security maturity report includes 

the degree of maturity of the organizations security; 

the average degree of maturity of security of other organizations included in an 
industry to which the organization pertains; and 

the highest degree of maturity of security which is considered to be attainable 
by organizations in the industry to which the organization pertains. 

33. (Withdrawn) The apparatus for assessing the state of security of an 
organization according to claim 30, wherein the security maturity report includes scores 
assigned to the following items; namely, 

understanding and attitude concerning security; 
a security system of the organization; 
response to unexpected accidents; 
preparation of a budget for security; and 
measures to improve security. 

34. (Withdrawn) An analyst for analyzing a difference between a security policy 
and an information system of an organization, comprising 

contradiction inspection means for inspecting whether or not contradiction 
exists between individual answers in response to inquiries submitted to members of the 
organization; and 

contradiction output means for outputting information about the inspected 

contradiction. 
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35. (Withdrawn) The analyzer for analyzing a difference between a security 
policy and an information system of an organization according to claim 34, further 
comprising: 

indicating means for indicating the contradiction on the basis of the 
information about contradiction; 

establishment means for virtually establishing an information system for the 
organization on the basis of the answers free of contradiction; and 

difference output means for outputting a difference between the configuration 
of the virtually-established information system and a security policy, by means of 
comparison. 

36. (Withdrawn) The analyzer for analyzing a difference between a security 
policy and an information system of an organization according to claim 35, further 
comprising: 

real system input means for examining the information system of the 
organization and entering the configuration of the information system; and 

difference output means which verifies the virtually-established information 
system by reference to the configuration of the information system and outputs a difference 
between a security policy and the configuration of the virtually-established information 
system which has been verified, by means of comparison. 

37. (Original) The method of establishing a security policy according to claim 2, 
wherein, in the inquiry preparation step, the inquiries are generated in accordance with the 
line of business of the organization. 

38. (Original) The method of establishing a security policy according to claim 11, 
wherein, in the inquiry preparation step, the inquiries are generated in accordance with the 
line of business of the organization. 
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39. (Original) The security policy establishment apparatus according to claim 19, 
wherein the inquiry preparation means generates inquiries to be submitted to an interviewee 
in accordance with the line of the organization. 

40. (Original) The method of establishing a security policy according to claim 2, 
wherein, in the drafting step, a security policy is established on the basis of recommendations 
or regulations aimed at a specific line of business. 

4 1 . (Original) The method of establishing a security policy according to claim 1 1 , 
wherein, in the establishment step, a security policy is established on the basis of 
recommendations or regulations aimed at a specific line of business. 

42. (Original) The security policy establishment apparatus according to claim 19, 
wherein the establishment means establishes a security policy on the basis of items of 
recommendations or regulations aimed at a specific line of business. 

43. (Original) The method of establishing a security policy according to claim 2, 
wherein, in the drafting step, a security policy is established on the basis of items of global 
guidelines of one or a plurality of types prescribed by a user. 

44. (Original) The method of establishing a security policy according to claim 43, 
wherein, in the inquiry preparation step, inquiries are generated on the basis of items of global 
guidelines of one or a plurality of types prescribed by a user. 

45. (Original) The method of establishing a security policy according to claim 1 1, 
wherein, in the establishment step, a security policy is established on the basis of items of 
global guidelines of one or a plurality of types prescribed by a user. 

46. (Original) The method of establishing a security policy according to claim 45, 
wherein, in the inquiry preparation step, inquiries are generated on the basis of items of global 
guidelines of one or a plurality of types prescribed by a user. 
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47. (Original) The security policy establishment apparatus according to claim 19, 
wherein the establishment means establishes a security policy on the basis of items of global 
guidelines of one or a plurality of types prescribed by a user. 

48. (Original) The security policy establishment apparatus according to claim 47, 
wherein the inquiry preparation means generates inquiries to be submitted to interviewees, on 
the basis of items of global guidelines of one or a plurality of types prescribed by a user. 

49. (Original) The method of establishing a security policy according to claim 2, 
wherein, in the establishment step, a security policy is established on the basis of an indicator 
of rigorousness of security policy prescribed by the user. 

50. (Original) The method of establishing a security policy according to claim 49, 
wherein, in the inquiry preparation step, the inquiries are generated on the basis of an 
indicator of rigorousness of security policy prescribed by the user. 

5 1 . (Original) The method of establishing a security policy according to claim 11, 
wherein, in the establishment step, a security policy is established on the basis of an indicator 
of rigorousness of security policy prescribed by the user. 

52. (Original) The method of establishing a security policy according to claim 5 1 , 
wherein, in the inquiry preparation step, the inquiries are generated on the basis of an 
indicator of rigorousness of security policy prescribed by the user. 

53. (Original) The security policy establishment apparatus according to claim 19, 
wherein the establishment means establishes a security policy on the basis of an indicator of 
rigorousness of security policy prescribed by the user. 

54. (Original) The security policy establishment apparatus according to claim 53, 
wherein the inquiry preparation means generates inquiries, on the basis of an indicator of 
rigorousness of security policy prescribed by the user. 
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55. (Withdrawn) A security policy rigorousness adjustment method for adjusting 
the level of rigorousness of a security policy, comprising: 

a rigorousness adjustment step of replacing the rules which have been 
determined not to match the indicator of rigorousness prescribed by a user with rules 
matching the indicator; and 

a merge and output step of merging the rules matching the indicator of 
rigorousness from the beginning with the rules that in the rigorousness adjustment step have 
replaced the rules not matching the indicator and of outputting the merged rules. 

56. (Withdrawn) A security policy rigorousness adjustment apparatus for 
adjusting the level of rigorousness of a security policy, comprising: 

rigorousness adjustment means for replacing the rules which have been 
determined not to match the indicator of rigorousness prescribed by a user with rules 
matching the indicator; and 

merge and output means for merging the rules matching the indicator of 
rigorousness from the beginning with the rules which in the rigorousness adjustment means 
have replaced the rules not matching the indicator and for outputting the merged rules. 

57. (Currently Amended) A method of establishing a security policy of a 
predetermined organization, comprising: 

an inquiry preparation step of generating inquiries which pertain to items 
required for establishing a security policy of the organization and are to be submitted to 
members of the organization; 

an inquiry step of submitting the generated inquiries to the members; 

a storage step of storing answers into a storage means; 
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an answer acquisition step of acquiring from the members answers to the 

inquiries , integrating the member answers and storing the member answers into the storage 
means : and 

an establishment step of establishing a security policy draft on the basis of the 
answers stored in the storage means , wherein, in the establishment step, a security policy 
within a range of establishment prescribed by the user is established. 

58. (Original) The method of establishing a security policy according to claim 57, 
wherein, in the inquiry preparation step, inquiries pertaining to the range of establishment 
prescribed by the user are generated. 

59. (Currently Amended) A security policy establishment apparatus for 
establishing a security policy of a predetermined organization, comprising: 

inquiry preparation means for generating inquiries which pertain to items 
required for establishing a security policy of the organization and are to be submitted to 
members of the organization; 

storage means for storing answers to the generated inquiries; 

answer archival storage means for acquiring answers to the generated 
inquiries , integrating the answers and storing the answers into the storage means; and 

establishment means for establishing a security policy within the range of 
establishment prescribed by the user. 

60. (Original) The security policy establishment apparatus according to claim 59, 
wherein the inquiry preparation means generates inquiries pertaining to the range of 
establishment prescribed by the user. 

61 . (Original) A computer-readable recording medium having recorded thereon a 
program for causing a computer to perform: 
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inquiry preparation procedures for generating inquiries which pertain to items 
required for establishing a security policy of the organization and are to be submitted to 
members of the organization; 

answer archival procedures for entering answers to the generated inquiries and 
storing the answers into storage means; and 

establishment procedures for establishing a security policy on the basis of the 
answers stored in the storage means. 

62. (Original) The recording medium according to claim 61, wherein, in the 
inquiry preparation procedures, inquiries to be submitted to interviewees are generated on the 
basis of job specifications of the interviewees. 

63. (Original) The recording medium according to claim 61, wherein, in the 
answer archival procedures, the answers acquired from a single member from among the 
acquired answers are integrated, and the integrated answers are stored into the storage means 
as answers of a single member to be inquired; or 

weights are assigned to answers according to job specifications of the 
members to be inquired if contradictory answers are included in the answers, to thereby 
estimate final answers and display the estimated final answers. 

64. (Original) The recording medium according to claim 61, wherein, in the 
inquiry preparation procedures, inquiries to be submitted to the interviewees are generated on 
the basis of the line of business of the organization. 

65. (Original) The recording medium according to claim 61, wherein, in the 
establishment procedures, a security policy is established on the basis of items of global 
guidelines of one or a plurality of types prescribed by a user. 
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66. (Original) The recording medium according to claim 61, wherein, in the 
inquiry preparation procedures, the inquiries are generated on the basis of an indicator of 
rigorousness of security policy prescribed by the user. 

67. (Original) The recording medium according to claim 61, wherein, in the 
establishment procedures, a security policy within a range of establishment prescribed by the 
user is established. 

68. (Withdrawn) A computer-readable recording medium having recorded thereon 
a program for causing a computer to perform: 

inquiry preparation procedures for outputting inquiries which pertain to items 
required for evaluating the degree of maturity of security of a predetermined organization and 
are to be submitted to members of the organization; 

answer archival procedures for entering answers to the outputted inquiries and 
storing the answers into storage means; and 

security maturity preparation procedures for preparing a security maturity 
report representing the degree of maturity of security, on the basis of the answers stored in the 
storage means. 

69. (Withdrawn) The recording medium according to claim 68, wherein the 
inquiry preparation means generates inquiries to be submitted to interviewees, on the basis of 
job specifications of the interviewees. 

70. (Withdrawn) A computer-readable recording medium having recorded thereon 
a program for causing a computer to perform: 

contradiction inspection procedures for inspecting whether or not contradiction 
exists between individual answers submitted in response to inquiries which pertain to items 
required for ascertaining a difference between a security policy of the predetermined 
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organization and an information system of the organization and which have been submitted to 
members of a predetermined organization; and 

contradiction output procedures for outputting information about the inspected 

contradiction. 

71 . (Withdrawn) The recording medium according to claim 70, further 
comprising: 

indicating procedures for indicating the contradictions on the basis of the 
information about contradiction; 

establishment procedures for virtually establishing the configuration of an 
information system of the organization, on the basis of the answers free of contradictions; and 

difference output procedures for outputting a difference between the 
configuration of the virtually-established information system and the security policy, obtained 
by means of comparison. 

72. (Withdrawn) A computer-readable recording medium having recorded thereon 
a program for causing a computer to perform: 

rigorousness adjustment procedures for replacing the rules which have been 
determined not to match the indicator of rigorousness prescribed by a user with rules 
matching the indicator of rigorousness; and 

merge and output procedures for merging the rules matching the indicator of 
rigorousness from the beginning with the rules which in the rigorousness adjustment 
procedure have replaced the rules not matching the indicator and for outputting the merged 
rules. 
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73. (Original) A program for causing a computer to perform: 

inquiry preparation procedures for generating inquiries which pertain to items 
required for establishing a security policy of a predetermined organization and are to be 
submitted to members of the organization; 

answer archival procedures for entering answers to the generated inquiries and 
storing the answers into storage means; and 

establishment procedures for establishing a security policy on the basis of the 
answers stored in the storage means. 

74. (Original) The program according to claim 73 5 wherein, in the inquiry 
preparation procedures, inquiries to be submitted to interviewees are generated on the basis of 
job specifications of the interviewees. 

75. (Original) The program according to claim 73, wherein, in the answer archival 
procedures, the answers acquired from a single member from among the acquired answers are 
integrated, and the integrated answers are stored into the storage means as answers of a single 
member to be inquired; or 

weights are assigned to answers according to job specifications of the 
members to be inquired if contradictory answers are included in the answers, to thereby 
estimate final answers and display the estimated final answers. 

76. (Original) The program according to claim 73, wherein, in the inquiry 
preparation procedures, inquiries to be submitted to the interviewees are generated on the 
basis of the line of business of the organization. 

77. (Original) The program according to claim 73, wherein, in the establishment 
procedures, a security policy is established on the basis of items of global guidelines of one or 
a plurality of types prescribed by a user. 
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78. (Original) The recording medium according to claim 73, wherein, in the 
inquiry preparation procedures, the inquiries are generated on the basis of an indicator of 
rigorousness of security policy prescribed by the user. 

79. (Original) The recording medium according to claim 73, wherein, in the 
establishment procedures, a security policy within a range of establishment prescribed by the 
user is established. 

80. (Withdrawn) A program for causing a computer to perform: 

inquiry preparation procedures for outputting inquiries which pertain to items 
required for evaluating the degree of maturity of security of a predetermined organization and 
are to be submitted to members of the organization; 

answer archival procedures for entering answers to the outputted inquiries and 
storing the answers into storage means; and 

security maturity preparation procedures for preparing a security maturity 
report representing the degree of maturity of security, on the basis of the answers stored in the 
storage means. 

8 1 . (Withdrawn) A program for causing a computer to perform: 
contradiction inspection procedures for inspecting whether or not contradiction 

exits between individual answers in response to inquiries which pertain to items required for 
ascertaining a difference between a security policy of the predetermined organization and an 
information system of the organization and which have been submitted to members of a 
predetermined organization; and 

contradiction output procedures for outputting information about the inspected 

contradiction. 
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82. (Withdrawn) The program according to claim 81, further comprising: 
matching procedures for matching the answers on the basis of the information 

about contradiction, thus producing answers free of contradiction; 

establishment procedures for virtually establishing the configuration of an 
information system of the organization, on the basis of the answers produced by the matching 
procedure; and 

difference output procedures for outputting a difference between the 
configuration of the virtually-established information system and the security policy, obtained 
by means of comparison. 

83. (Withdrawn) A program for causing a computer to perform: 
level-of-rigorousness inspection procedures for inspecting whether or not 

individual rules of the security policy match an indicator of rigorousness prescribed by a user; 

rigorousness adjustment procedures for replacing the rules which have been 
determined not to match the indicator in the level-of-rigorousness inspection procedure with 
rules matching the indicator of rigorousness; and 

merge and output procedures for merging the rules matching the indicator of 
rigorousness from the beginning with the rules which in the rigorousness adjustment 
procedure have replaced the rules not matching the indicator and for outputting the merged 
rules. 
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